Category Archives: Research

Research Projects

WayCare Accident Prediction in Las Vegas

September 2017, the startup WayCare will begin a 6 month pilot of artificial intelligence (AI) in Las Vegas.  The AI will monitor traffic of I-15 and US 95 then predict congestion and possible traffic accidents.  The intent is to predict within 2 hours where first responders within a coalition of city, state, and county agencies should place their vehicles.  The hope is that by preparing resources ahead of time that they may be able to prevent accidents.

Some of the analytics may assess predictions based on the angle of the sun, debris on a lane, or perhaps even a dust cloud.  The WayCare project is estimated to cost tens of thousands of dollars.  The next cities which may potentially explore a pilot with WayCare are Ft Lauderdale and Tampa, Florida.

LulSecPilipinas & PI’s Data Privacy

It started with Manila's National Privacy Commission (NPC), the agency which mandated to implement Republic Act 10173, or the Data Privacy Act (DPA) and then resulted in March 28th, 2016 with 

 A great lol to Commission on Elections, here's your whoooooole database.

LulzSec Pilipinas had exposed data (posted a mega sized .zip file of data) which included publicly available information and also voter data, voter registration data, and databases relevant to the functionality of the Commission on Elections (Comelec) website.  Less than a year later on January 11, 2017, a computer was stolen from Comelec's office in Wao, Lanao del Sur.  That computer contained a copy of the voter registration system, voter search applications, and the whole database of registered voters.  

In most organizations with the maturity of technology there comes a convergence of assets important to multiple areas of compliance and protection.  In the case of Manila, it is the National Privacy Commision (NPC) which concerns itself with data privacy and then there is the Department of Informaiton and Comunications Technology which concerns itself strictly with the technical intricacies within the systems.  The gap of organizational management and physical management has become just as important as the technical measures which were put into place.  


Chrome engineer proposing to take hatchet to Symantec certs

As possible fallout after a late response (30 days) to inquiries by Mozilla and Google to Symantec about test certs Symantec had issued for w/o Google’s knowledge back in 2015, Google Chrome may (at this point internally proposing – not a scheduled implementation) stop recognizing the (full) validity of Symantec certs after fixed durations.

Google currently (with Chrome 57) distrusts Symantec issued certs at their face value but with Chrome 59 would reduce it to 33 months (1023 days) then with Chrome 60 it would reduce to 27 months..and so forth. Eventually Chrome would only recognize Symantec certs as valid for a maximum date from issuance of 9 months (279) days.

Here is the proposed Chrome rollout schedule:
59 Jun 6th, 2017
60 Aug 1st, 2017
61 Sep 12th, 2017
62 Oct 24th, 2017
63 Dec 12th, 2017

Many companies currently use GeoTrust and Thawte which are operated by Symantec. This means those companies would need to accept Chrome’s requirement for re-issuance more frequently or else change their CA root authorities (i.e. find another cert vendor.) Symantec currently holds approximately 35-40% of the cert market. (Remember the days when Thawte was the independent underdog?)

This is all hay at this point but something worth tracking if ever so diligently or out of curiosity. The discussion has been led along by Ryan Sleevi – the Chrome engineer at Google proposing it.

Google Sites and Chrome For Dummies

New From: $10.99 USD In Stock

105 busted in global credit card fraud

What do the UK, Netherlands, Germany, Belgium, and Malaysia all have in common?
If you answered "a Credit Card syndicate which was disrupted by Europol's European Cybercrime Centre (EC3)" then you are correct.

The Organized Criminal Group (OCG) which was creating and abusing counterfeit credit cards all across Europe and in Malaysia recently had 3,000 counterfeit cards confiscated along with jewelry, cash, and fake passports.  

OCG was created in Malaysia and has been committing credit card fraud schemes by abusing less secure locations for shopping such as duty-free shops in airports and electronic stores and buying high priced ticket items.  Through cooperation of American Express with the EC3 and local law enforcement around the globe, the investigation running since end of 2015 was able to successfully capture 105 suspects.

Chromecast exploit package spawns a root shell on port 23

GTVHacker has stated:

How does the exploit work?

Lucky for us, Google was kind enough to GPL the bootloader source code for the device. So we can identify the exact flaw that allows us to boot the unsigned kernel. By holding down the single button, while powering the device, the Chromecast boots into USB boot mode. USB boot mode looks for a signed image at 0×1000 on the USB drive. When found, the image is passed to the internal crypto hardware to be verified, but after this process the return code is never checked! Therefore, we can execute any code at will.

ret = VerifyImage((unsigned int)k_buff, cpu_img_siz, (unsigned int)k_buff);

The example above shows the call made to verify the image, the value stored in ret is never actually verified to ensure that the call to “VerifyImage” succeeded. From that, we are able to execute our own kernel.

If you are in Vegas for DEF CON 21, check out – Google TV: Or How I Learned to Stop Worrying and Exploit Secure Boot by GTVHacker this Friday, August 2nd, at 3PM in the Penn and Teller Theater!